and more in a single search tool across platforms. Read the announcement here. |
07/21/2022 12:41 AM
HI team,
We have a requirement where we have to reject the SOD conflicting roles and allow other roles for approval.
We have used SOD > 0 in the workflow and it is rejecting all other roles submitted in the same request.
Is there a way we can reject only the conflicting entitlements and send remaining entitlements for approval.
Example: If i have submit for role1 , role2 and role 3 if role1 and role2 have conflict , WF should reject role1 and role 2 and send role 3 for approval.
Appreciate your response
07/21/2022 02:00 AM
07/21/2022 02:47 AM
10/14/2022 07:43 AM
Hello,
I am looking for a similar use case where in if any of the roles in the request are SOD critical should be auto rejected ELSE that are non-critical should go for the normal route of approval/approvals. But when I try to add a if block - 'SODViolation.Critical > 0' the whole request is getting auto rejected when it finds even one SOD critical role.
In the logs looks like the workflow variables irrespective of having multiple roles in a request are considered as a whole so is this scenario achievable?
[https-jsse-nio-8443-exec-24] TRACE services.WorkflowService - workflow variables= [sodevaluationstatus:12, dynamicAttributes:[:], role:Payroll Administrator, SYSCRITICALCOUNT:0, requestduedate:Mon Oct 24 14:34:17 UTC 2022, endpointMap:[:], reqid:4272, RequestAccessKeys:[5487, 5488], requestedby:iamadmin, JRMViolation:[], ars_requests:com.saviynt.ecm.workflow.ARS_Requests : 4272, SOXCRITICALCOUNT:0, requiredrequestornot:, requestedon:Fri Oct 14 14:34:17 UTC 2022, requestaccesskey:5487,5488, RequestedFor:14617, ffidpreapprovedmap:[:], endpoints:[:], entitlementslist:[5488:Payroll Administrator, 5487:MTESTNET AD Basic Azure Account Provisioning], manager:p010, securitysystem:[:], dynamicAttributesReqAccess:[:], quorum:2, SOD:1, entMap:[5488:Payroll Administrator, 5487:MTESTNET AD Basic Azure Account Provisioning], SODViolation:[Critical:1], totalsapaccounts:6, roleownerslist:[], RequestedBy:14363, requestcounts:[NEW_ACC_REQUESTS_COUNT:0, ADD_ACCESS_REQUESTS_COUNT:0, REMOVE_ACCESS_REQUESTS_COUNT:0, MODIFY_ACC_REQUESTS_COUNT:0, DELETE_ACC_REQUESTS_COUNT:0], externalSODViolation:[:], user:T-S404, role_endpoint:WorkDay]
Thanks,
Umang
10/14/2022 07:48 AM
Full Request will be auto rejected as workflow is not sure which entitlements are violating the SOD in other terms we don't have any filter to route non SOD request to other route.
However rejecting full reject is correct consider saviynt support partial reject then sod evolution should be done again which is missing here.